Malwarebytes Broke File Associations


So I ended up with the PITA Win 7 Security 2012 virus and I managed to get MBAM open by running Spybot Search & Destroy first, then I ran MBAM which eradicated the virus but then it destroyed all the file associations. I managed to fix most by getting CCleaner open and running the registry fix but now I have some startup things (and maybe more that I don't know about) that can't find a specified program. What can I do to fix all these borked file associations? CCleaner is finding no more issues.

Greetings :)

It was the infection that broke file associations (it had set itself to execute whenever an exe did, so when Malwarebytes removed the infection, the association remained broken). Please try exeHelper as described in this tutorial to see if it corrects the issues or not. If it does not completely resolve the problems, then please do the following:

Please read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here.

One of the expert helpers there will give you one on one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

If you prefer to be assisted via email you may contact support@malwarebytes.org and one of our support staff members will assist you directly.

If you are a reseller, affiliate, technician, corporate, business, educational, government or non-profit customer then please contact corporate-support@malwarebytes.org and include full contact details along with your Reference # when you do to ensure that you receive prompt assistance.

Thank you :)

Just curious, do you have the Ad-Aware log?

Thanks!

Where do I find this? I may actually need help as I have weird processes showing up. I ran ComboFix just now; here's the log for that:

ComboFix 11-12-17.05 - Administrator 12/17/2011 18:20:27.1.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8183.6487 [GMT -6:00]

Running from: c:\users\Administrator\Desktop\ComboFix.exe

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\consrv.dll

c:\windows\System64

D:\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))

.

.

2011-12-18 00:22 . 2011-12-18 00:22 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-17 22:01 . 2011-11-18 03:56 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-12-17 20:38 . 2011-12-17 20:38 -------- d-----w- c:\users\Administrator\AppData\Local\Apps

2011-12-15 22:41 . 2011-12-18 00:23 -------- d-----w- c:\programdata\NVIDIA

2011-12-15 22:41 . 2011-12-15 22:41 -------- d-----w- c:\program files (x86)\NVIDIA Corporation

2011-12-15 22:41 . 2011-12-15 22:41 -------- d-----w- c:\users\UpdatusUser

2011-12-15 22:41 . 2011-11-24 02:47 6004544 ----a-w- c:\windows\system32\nvcpl.dll

2011-12-15 22:41 . 2011-11-24 02:41 3028800 ----a-w- c:\windows\system32\nvsvc64.dll

2011-12-15 22:41 . 2011-11-24 02:38 2562368 ----a-w- c:\windows\system32\nvsvcr.dll

2011-12-15 22:41 . 2011-11-24 02:38 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2011-12-15 22:41 . 2011-11-24 02:38 63296 ----a-w- c:\windows\system32\nvshext.dll

2011-12-15 22:41 . 2011-11-24 02:38 118080 ----a-w- c:\windows\system32\nvmctray.dll

2011-12-15 01:02 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B89226A1-4668-43A9-B3CC-175DCADED37D}\mpengine.dll

2011-12-12 23:29 . 2011-12-12 23:33 -------- d-----w- C:\Trine.2.REPACK-SRN

2011-12-11 15:41 . 2011-12-11 15:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\Trine2

2011-12-11 15:41 . 2011-12-11 15:41 -------- d-----w- c:\programdata\RELOADED

2011-11-24 01:29 . 2011-11-24 01:29 406336 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2011-11-18 03:54 . 2011-11-03 18:06 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-11-18 03:54 . 2011-11-18 03:54 -------- d-----w- c:\program files (x86)\Lavasoft

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-16 23:12 . 2011-06-12 13:22 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-04 02:28 . 2010-12-03 03:11 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2011-09-29 16:29 . 2011-11-09 21:37 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"CTxfiHlp"="CTXFIHLP.EXE" [2010-07-08 24576]

"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]

"125.252.224.88,255.255.255.252,192.168.0.12,1"=""

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-06 136176]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2011-11-24 2348864]

R3 ALSysIO;ALSysIO;c:\users\ADMINI~1\AppData\Local\Temp\ALSysIO64.sys [x]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-12-03 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-12-02 79360]

R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]

R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]

R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-06 136176]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-11-18 17152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 PROCEXP151;PROCEXP151;c:\windows\system32\Drivers\PROCEXP151.SYS [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 DAUpdaterSvc;Dragon Age: Origins Updater;c:\program files (x86)\Steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2011-07-17 25832]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-11-24 381248]

S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]

S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]

S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]

S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [x]

S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]

S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]

S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]

S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision\RTCore64.sys [2011-08-31 14440]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\DRIVERS\V0410Dev.sys [x]

S3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\DRIVERS\V0410Vfx.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-06 05:34]

.

2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-06 05:34]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]

"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2010-11-16 104008]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]

"combofix"="c:\combofix\CF10644.3XE" [2010-11-20 345088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]

"125.252.224.88,255.255.255.252,192.168.0.12,1"=""

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uDefault_Search_URL = hxxp://www.google.com/cse?sa=Search&cx=partner-pub-3451140814115289:q9affw-svha&ie=UTF-8&q=&sa=Search

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\nbrmqklx.default\

FF - prefs.js: browser.search.selectedEngine - Google.com (in English)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-AdobeBridge - (no file)

AddRemove-{8833FFB6-5B0C-4764-81AA-06DFEED9A476} - c:\program files (x86)\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,cf,49,52,4b,2d,56,c5,4b,af,8f,7f,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8b,43,bd,65,48,5d,11,4b,8a,1b,a3,\

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.3G2"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.3GP"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.3G2"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.3GP"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ADTS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ADTS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ADTS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AIFF"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AIFF"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AIFF"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASF"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASX"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AU"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\vlc.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.CDA"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\vlc.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="ThunderbirdEML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\OIS.EXE"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]

@Denied: (2) (Administrator)

"Progid"="FirefoxHTML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]

@Denied: (2) (Administrator)

"Progid"="FirefoxHTML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2T\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.M2TS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.M2TS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.m3u"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]

@Denied: (2) (Administrator)

"Progid"="VLC.m4a"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MP4"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MIDI"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MIDI"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\vlc.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\vlc.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MP3"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]

@Denied: (2) (Administrator)

"Progid"="VLC.mp3"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\vlc.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MP4"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MPEG"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.M2TS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nfo\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\notepad.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\AcroRd32.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.MIDI"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="FirefoxHTML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.AU"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.TTS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.TTS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]

@Denied: (2) (Administrator)

"Progid"="VLC.wav"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WAX"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdseml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="ThunderbirdEML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASF"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMA"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMD"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMS"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMV"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.ASX"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WMZ"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WPL"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]

@Denied: (2) (Administrator)

"Progid"="WMP11.AssocFile.WVX"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]

@Denied: (2) (Administrator)

"Progid"="FirefoxHTML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]

@Denied: (2) (Administrator)

"Progid"="FirefoxHTML"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xvid\UserChoice]

@Denied: (2) (Administrator)

"Progid"="Applications\\vlc.exe"

.

[HKEY_USERS\S-1-5-21-1497164909-698118877-2236069649-500\Software\SecuROM\License information*]

"datasecu"=hex:1a,18,65,4c,89,0c,13,da,35,66,1d,e4,b8,5b,76,f5,46,0f,05,12,fd,

94,05,bd,2b,d8,ca,cd,49,78,83,ee,b6,fb,d2,ba,7c,8a,16,ed,0b,bb,85,3d,d1,31,\

"rkeysecu"=hex:10,43,f9,db,59,df,f8,a1,fc,5a,9f,a0,5f,4d,b6,d2

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]

"value"="?\09\05\1e\093!?"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\EVGA Precision\EVGAPrecision.exe

c:\windows\SysWOW64\Ctxfihlp.exe

c:\windows\SysWOW64\CTXFISPI.EXE

.

**************************************************************************

.

Completion time: 2011-12-17 18:25:07 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-18 00:25

.

Pre-Run: 53,686,030,336 bytes free

Post-Run: 53,243,187,200 bytes free

.

- - End Of File - - 8B86BE368D05774A4C66409EF51D6C14

OK, I found the Ad-Aware log; here it is:

Logfile created: 12/17/2011 14:54:46

Ad-Aware version: 9.6.0

Extended engine: 3

Extended engine version: 3.1.2770

User performing scan: Administrator

*********************** Definitions database information ***********************

Lavasoft definition file: 150.653

Genotype definition file version: 2011/09/21 13:56:01

Extended engine definition file: 11267.0

******************************** Scan results: *********************************

Scan profile name: Default Profile (ID: defaultprofile)

Objects scanned: 175474

Objects detected: 7

Type Detected

==========================

Processes.......: 0

Registry entries: 0

Hostfile entries: 0

Files...........: 3

Folders.........: 0

LSPs............: 0

Cookies.........: 4

Browser hijacks.: 0

MRU objects.....: 0

Removed items:

Description: c:\windows\assembly\temp\u\000000cf.@ Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 641d61902ae96341113c5c023984b719

Description: c:\windows\assembly\temp\u\80000004.@ Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: cad5f92045b581a877ec5cb1b738233d

Description: c:\windows\assembly\temp\u\80000032.@ Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: bf3f80614938cba6d41ffa8ce5d37fc0

Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0

Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0

Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0

Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0

Scan and cleaning complete: Finished correctly after 2089 seconds

*********************************** Settings ***********************************


****************************** System information ******************************

Computer name: THEHANEYS-PC

Processor name: Intel® Core i5 CPU 760 @ 2.80GHz

Processor identifier: Intel64 Family 6 Model 30 Stepping 5

Processor speed: ~3623MHZ

Raw info: processorarchitecture 9, processortype 8664, processorlevel 6, processor revision 7685, number of processors 4, processor features: [MMX,SSE,SSE2,SSE3]

Physical memory available: 6087155712 bytes

Physical memory total: 8580616192 bytes

Virtual memory available: 1892990976 bytes

Virtual memory total: 2147352576 bytes

Memory load: 29%

Microsoft Service Pack 1 (build 7601)

Windows startup mode:

Running processes:


Startup items:

Name: AdobeCS5ServiceManager

imagepath: "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

Name: CTxfiHlp

imagepath: CTXFIHLP.EXE


What do you mean they'll have to be restored in the removal forum? Just that I'll need to find help there?

Here's the MBAM log you requested:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8393

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

12/18/2011 4:13:22 PM

mbam-log-2011-12-18 (16-13-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 345511

Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> No action taken.


  • Staff

Yes, in this post the instructions are:

http://forums.malwarebytes.org/index.php?showtopic=102318&view=findpost&p=506029

The experts there are very good and should help you get the services you need restored. I have seen the fakealerts delete the update service in the past. Not sure if that's what you are talking about.

I am in research, more about files and MBAM removal, and not up to date with the latest manual fixes and such.

Can you submit that file detected as BitMiner to the false positive forum section? You can put "attn shadowwar".

Just make a new post in this forum and attach the file. You may have to zip it to attach it.

http://forums.malwarebytes.org/index.php?showforum=42

Thanks!
